
Domainkeys (DKIM): Setup and Authentication Guide

Implement Domainkeys (DKIM) using cryptographic signatures. Configure DNS records to prevent spoofing and meet provider requirements for bulk senders.


DomainKeys Identified Mail (DKIM) is an email authentication standard that uses cryptographic signatures to verify that an email message was authorized by the domain owner and was not altered in transit. Though often shortened to "Domainkeys," the technology merges Yahoo's original DomainKeys protocol with Cisco's Identified Internet Mail to create a system defined in RFC 6376. For marketers, DKIM is critical because major mailbox providers now block unauthenticated bulk email, and valid signatures directly impact whether your campaigns reach the inbox or the spam folder.

What is Domainkeys?

Domainkeys refers to the family of domain-level email authentication methods that attach a digital signature to outgoing messages. The current standard, DKIM, allows a signer (the domain owner or their email service) to claim responsibility for a message by affixing a signature that receivers can validate using public key cryptography. While the original DomainKeys specification (RFC 4870) is now historic, modern DKIM superseded it in 2007 and was elevated to Internet Standard status in 2013.

The system operates independently of the SMTP envelope. It signs the RFC 5322 message (headers and body), meaning signatures survive relaying across multiple message transfer agents. The signing organization can be the original author, a mail submission agent, or an intermediary service.

Why Domainkeys matters

  • Delivery requirements: [Google and Yahoo began requiring DKIM authentication for bulk senders in February 2024] (Google). Messages lacking valid DKIM face rejection or spam folder routing.
  • Spoofing prevention: DKIM cryptographically proves that the message was signed by a party holding the domain's private key and that the signed content was not modified in transit, which helps block phishing attempts that impersonate your brand.
  • Reputation building: Valid signatures create a history of trustworthy sending for your domain, helping mailbox providers distinguish legitimate marketing from forged emails.
  • Abuse reduction: When receivers can verify your messages via DKIM, your domain receives fewer false abuse complaints from spoofed emails.

How Domainkeys works

  1. Generate keys: The email infrastructure creates a private key for signing messages and a public key for verification.
  2. Publish to DNS: The public key is inserted into a DNS TXT record under a selector subdomain (format: selector._domainkey.domain.com).
  3. Sign outgoing mail: The sending server hashes the email body (recorded in the bh= tag) and the selected headers (always including the From field), signs the result with the private key, and adds a DKIM-Signature header carrying the signature (b= tag).
  4. DNS lookup: The receiving server extracts the selector (s=) and domain (d=) from the signature, then queries DNS for the public key.
  5. Verify: The server recomputes the hashes over the received message and verifies the signature against them using the public key. A valid signature confirms integrity and that the signing domain took responsibility for the message.

Key components:

  • Selector: A string identifier (e.g., big-email or 2024a) that allows multiple keys to exist under one domain, enabling key rotation and third-party service usage.
  • Canonicalization: The process of standardizing text before hashing. "Simple" mode requires exact matches; "relaxed" allows minor whitespace changes.

Variations

DKIM supports multiple cryptographic algorithms to balance security and DNS record size:

  • RSA (RFC 6376): Traditional standard; keys must be 1024-4096 bits per [RFC 8301 updates from January 2018] (RFC 8301).
  • Ed25519 (RFC 8463): Elliptic curve method added in September 2018; provides strong security with shorter public keys that fit DNS records more easily.

Best practices

  • Rotate keys quarterly: Regular rotation limits exposure if a key is compromised. Publish new keys in DNS before retiring old ones to avoid delivery interruptions.
  • Use adequate key lengths: [512-bit keys can be factored in as little as 24 hours using standard computing resources] (Wired). Generate at least 1024-bit RSA keys or use Ed25519.
  • Set expiration tags: Include the optional x= tag in signatures to limit the window for replay attacks using stolen messages.
  • Sign essential headers: Always sign the From field (required by RFC 6376) and include Subject and Date to prevent tampering.
  • Omit body length limits: Avoid the l= tag, which signs only a portion of the body and allows attackers to append malicious content after the signature.
  • Test configurations: Verify DNS records and signatures using validation tools before launching campaigns.
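The verification steps under "How Domainkeys works" and the signature-tag best practices above can be exercised on a captured DKIM-Signature header; the Python below is an added example, not code from the page or from any DKIM implementation. The sample header and body are constructed, and checking the b= signature itself (RSA or Ed25519 over the signed headers) is left to a full verifier and not shown.

```python
import base64
import hashlib
import re

# Constructed sample DKIM-Signature value (not from a real message; bh= and b= are placeholders).
SAMPLE_SIG = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=company.com; s=s1; t=1700000000;\r\n"
    "\tx=1700086400; h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER"
)
SAMPLE_BODY = " Hello   world  \r\n\r\n\r\n"  # constructed body with trailing blank lines

def parse_tags(value: str) -> dict:
    """Split a DKIM tag=value list (RFC 6376 3.2); folding whitespace inside values is dropped."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def dns_name(tags: dict) -> str:
    """Name the verifier queries for the public-key TXT record: selector._domainkey.domain."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def relaxed_body(body: str) -> str:
    """RFC 6376 3.4.4 relaxed body: collapse WSP runs, strip line-end WSP, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)

def body_hash(body: str) -> str:
    """The bh= value: base64(SHA-256(canonicalized body)); the verifier recomputes and compares it."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()

def audit(tags: dict, now: int) -> list:
    """Best-practice lints from the text; an empty list means the header passes them."""
    signed = tags.get("h", "").lower().split(":")
    findings = [f"{h} not signed" for h in ("from", "subject", "date") if h not in signed]
    if "l" in tags:
        findings.append("l= present: content appended after the signed length still verifies")
    if "x" not in tags:
        findings.append("no x= expiration tag")
    elif int(tags["x"]) < now:
        findings.append("signature expired")
    if tags.get("a") not in ("rsa-sha256", "ed25519-sha256"):
        findings.append(f"algorithm {tags.get('a')} is not rsa-sha256 or ed25519-sha256")
    return findings
```

Run body_hash over the raw body of a received message and compare it with the bh= tag; a mismatch means the body was altered (for example by a mailing-list footer) before the signature can even be checked.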

Common mistakes

  • Mistake: Using deprecated ADSP policies. [ADSP was demoted to historic status in November 2013] (IETF). Fix: Implement DMARC instead to define handling policies for authentication failures.
  • Mistake: Short DKIM keys. Keys under 1024 bits are vulnerable to factorization attacks. Fix: Use 1024-bit or 2048-bit RSA keys, or transition to Ed25519.
  • Mistake: Ignoring mailing list modifications. Most mailing lists append footers or modify subjects, breaking DKIM signatures. Fix: Use ARC (Authenticated Received Chain) to preserve authentication results across intermediaries, or whitelist known forwarders.
  • Mistake: Forgetting DNS updates. Rotating signing keys without updating the corresponding DNS TXT record causes immediate verification failures. Fix: Update DNS before changing the key on your email server.
  • Mistake: Assuming DKIM stops all phishing. DKIM verifies authorization but cannot prevent a compromised legitimate account from sending malware. Fix: Layer DKIM with SPF and DMARC policies.

Examples

Example scenario: A marketing team uses an ESP to send campaigns from @company.com. The ESP provides selector s1. The team publishes a TXT record at s1._domainkey.company.com containing the public key. When Gmail receives the email, it sees the DKIM-Signature header with s=s1 and d=company.com, queries DNS, validates the signature against the public key, and delivers the email to the inbox instead of spam.

Verification rates: [OpenDKIM testing across 21 mail servers found 92.3% of DKIM signatures verified successfully] (IETF Implementation Report), dropping to 90.5% for mailing list traffic due to content modifications.

FAQ

What is the difference between DomainKeys and DKIM? DomainKeys was Yahoo's original specification (RFC 4870, now historic). DKIM merged DomainKeys with Cisco's Identified Internet Mail in 2007 and became the current Internet Standard (RFC 6376).

Is DKIM required for email marketing? Yes. As of February 2024, Google and Yahoo require DKIM (along with SPF) for bulk senders, defined as those sending over 5,000 messages per day to Gmail users.

How do I check if DKIM is working? Send a test email to a verification service and inspect the headers. Look for dkim=pass in the Authentication-Results header, or query your DNS directly for selector._domainkey.yourdomain.com to confirm the TXT record exists.

What happens if DKIM verification fails? Receiving servers typically do not reject messages solely based on DKIM failure. Instead, they rely on your DMARC policy to determine whether to quarantine or reject the message.

Can DKIM prevent all phishing? No. DKIM verifies that the signing domain authorized the message, but an attacker with account credentials can still sign malicious emails. It also does not protect against display name spoofing or lookalike domains.

How long should DKIM keys be? RFC 8301 mandates RSA keys between 1024 and 4096 bits. Avoid 512-bit keys, which researchers demonstrated could be factored in 24-72 hours using cloud computing resources.
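To go with the short-key mistake and the two FAQ answers above on checking the record and key length, the following added example (not from the page or any DKIM library) parses a published DKIM TXT record and reads the RSA modulus size out of the p= value. The small DER reader and the sample_record builder, which fabricates a non-functional key of a chosen size so the check can run offline, are assumptions of this example.

```python
import base64

# Constructed sample builders and checks for a DKIM DNS TXT record; no real key material here.
def der_read(buf: bytes, pos: int = 0):
    """Minimal DER reader: (tag, content, offset after the element) for the element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    n = first & 0x7F if first & 0x80 else 0                 # long-form length byte count
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big") if n else first
    start = pos + 2 + n
    return tag, buf[start:start + length], start + length

def parse_dkim_record(txt: str) -> dict:
    """Split a record such as 'v=DKIM1; k=rsa; p=...' into tags; whitespace is dropped."""
    return dict(kv.split("=", 1) for kv in txt.replace(" ", "").split(";") if "=" in kv)

def rsa_key_bits(p_value: str) -> int:
    """Modulus size of the RSA key in a p= value (base64 DER SubjectPublicKeyInfo)."""
    _, body, _ = der_read(base64.b64decode(p_value))   # outer SEQUENCE
    _, _, end = der_read(body)                          # AlgorithmIdentifier, skipped
    _, bitstr, _ = der_read(body, end)                  # BIT STRING; byte 0 = unused bits
    _, rsa_key, _ = der_read(bitstr[1:])                # RSAPublicKey SEQUENCE
    _, modulus, _ = der_read(rsa_key)                   # INTEGER n, may carry a 0x00 pad
    return int.from_bytes(modulus, "big").bit_length()

def check_record(txt: str) -> list:
    """Findings for a published record against the key-length guidance; empty list = OK."""
    tags = parse_dkim_record(txt)
    findings = []
    if not tags.get("p"):
        findings.append("p= empty: key revoked or record broken")
    elif tags.get("k", "rsa") == "rsa":                 # an Ed25519 p= is a raw key, not DER
        bits = rsa_key_bits(tags["p"])
        if bits < 1024:
            findings.append(f"RSA key is {bits} bits; RFC 8301 requires at least 1024")
    return findings

def der(tag: int, content: bytes) -> bytes:
    """DER encoder, used only to build the constructed sample below."""
    n = len(content)
    length = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

def sample_record(bits: int) -> str:
    """Constructed record whose p= holds a synthetic, non-functional RSA modulus of `bits` bits."""
    modulus = b"\x00" + ((1 << (bits - 1)) | 0x11).to_bytes(bits // 8, "big")
    rsa_key = der(0x30, der(0x02, modulus) + der(0x02, b"\x01\x00\x01"))   # n, e=65537
    alg = der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption OID
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(der(0x30, alg + der(0x03, b"\x00" + rsa_key))).decode()
```

Feed check_record the TXT string returned by your DNS resolver for selector._domainkey.yourdomain.com (join the quoted strings first if the record is split across several).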

What is a DKIM selector? A selector is a string that identifies which DNS record contains the public key for a specific key pair. It allows multiple keys (for different services or rotation periods) to coexist under one domain.
